diff --git a/playbooks/groups/ipa.yml b/playbooks/groups/ipa.yml
index 36de721db3..226da3e8f3 100644
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@@ -58,6 +58,14 @@
     shell: printf "%b" "read_kt /etc/httpd/conf/ipa.keytab\nread_kt /etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab\nwrite_kt /etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab.combined" | ktutil
     tags:
     - krb5
+    - ipa/server
+  - name: Make IPA HTTP use the combined keytab
+    lineinfile: dest=/etc/httpd/conf.d/ipa.conf
+                regexp='GssapiCredStore keytab:'
+                line='  GssapiCredStore keytab:/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab.combined'
+    tags:
+    - krb5
+    - ipa/server
 
 - name: do base role once more to revert any resolvconf changes
   hosts: ipa:ipa-stg